Then again, paper can't leak as easily as a database

Are the security requirements of HIPAA good? (Genuinely wondering: your data goes to tons of organizations, and any of them could use an improperly secured database and leak it. And are the requirements good both in technology and in practices, as in who's accountable?)

I'd say they're not bad.

Any data processing by a third party must be done under a Business Associate Agreement (BAA), which transfers responsibility under HIPAA with the same rules and regulations to the third party. There's always a chain of liability when processing PII, traceable back to the PCP (primary care provider).

The regulations also leave things open-ended in terms of specific ciphers, etc., stating that "industry standard" encryption at rest and in motion (i.e. transport security) must be used, for whatever definition of industry standard is correct.

As for privacy, exfil of PII even in non-digitized establishments is still covered (hence why there is typically also a Privacy Officer appointed within a HIPAA-compliant org, distinct from a Security Officer, both being actual titles, with certifications handed out by certification bodies). That covers general privacy and a much larger scope, and applies to any healthcare establishment - not just those who use computers.

Cryptographic audit trail requirements, third-party audits and reviews, a slew of other software certifications (some even from the government, such as Meaningful Use), etc., all exist to help with that mission.

As for who's accountable, it's always tied to the processor of the information, and "breaches", which are violations of either privacy or security policy, must be reported all the way back up the chain in a timely manner, and in the event the breach might cause risk of harm or disclosure, must also be reported to a regulatory body (I forget which), in which case the offending party must pay a fine. There's insurance for these scenarios; I forget if it's compulsory. But it racks up fast, and IIRC you're liable in most cases for damages up to a ceiling, somewhere in the nine-figure range.

What's more, there are also Qui Tam lawsuits which, as I understand things, can be brought against an offending healthcare establishment by a whistleblower of sorts (i.e. a third party who observes a breach without being part of the chain of responsibility (the healthcare establishment) or affected by the breach) on behalf of individuals harmed by said breach. As far as I know, anyone can do this.

IMO, for what it tries to do, I think it does an okay job. It's a really difficult thing to generalize and standardize given not only the flux of technology but also the fact that you still want independent innovation in the space without regulatory overreach.

(This is a massive oversimplification of my slightly outdated knowledge of this as I've been out of the US healthcare field for a while now)